For Zoom, popularity has come with increased scrutiny. The video conferencing app, which is currently the top free app on Google Play Store in India, has seen daily meeting participants cross 200 million in March alone using both free and paid sessions. In December 2019, this stood at 10 million daily participants, which shows just how much the service has grown thanks to the COVID-19 pandemic and almost all companies in many countries adopting work from home.
But the lockdown enforced almost across the world has meant Zoom is no longer limited to the enterprise world with everyone from friend circles to schools using it extensively. And as with any app or service that gains sudden popularity, Zoom has also been flooded with its share of problems.
The Zoombombing problem
For one, there is the problem of Zoombombing, where trolls who are not supposed to be part of a meeting have found it easy to crash in, taking over screens, sharing objectionable content and, in some cases, shouting racial slurs. In India too, the Broadcast Audience Research Council (BARC)’s press conference over Zoom had to be suspended when trolls took control of the screen to draw objectionable content on the presentation screen.
Zoom has acknowledged that this is a serious problem and has pointed out some tips that would be useful for its growing customer base, many of whom are new and probably not as tech-savvy. Security experts also agree with this.
“Zoom was purpose built for enterprise. It was built for people that have IT departments. Now, we have everybody using it. For the education sector they have made some changes to make it more secure by default. There is the use of waiting rooms by default,” John Shier, senior security advisor at Sophos, told indianexpress.com over a Zoom call.
In a detailed blog post, Zoom said it would be changing the default settings for educational users so virtual waiting rooms are on by default. What this means is that when a teacher sets up a class, and sends a link out to students, everyone will not be able to join the class automatically. They would first be part of a virtual waiting room, which would give the teacher the opportunity to check if someone who is not supposed to be part of the class is there, and not let them in.
It has also changed the settings to ensure that for education users, only teachers can share content in class. This means only the teacher would have access to the Screen Share feature, and no student or anyone else will be able to take over and broadcast objectionable content.
Users, though, would do best to familiarise themselves with the app’s settings when setting up a call, Ritesh Chopra, Country Director, NortonLifeLock India, told indianexpress.com over a call. “If you set up without knowing all the security features, that’s when you are vulnerable to Zoombombing. Use a unique ID if you are using a large session. Also create a waiting room. Better to start the call five minutes later,” he said.
Zoom security flaws
But the problem is not just limited to people crashing into Zoom meetings uninvited. Security researchers have also highlighted several security problems with Zoom’s apps, including serious flaws in the Mac client. The most prominent disclosure came from ex-NSA hacker Patrick Wardle, who revealed serious zero-day vulnerabilities in Zoom’s Mac app in a blog post. A zero-day vulnerability is one that even the company is not aware of.
Of the two bugs Wardle explained in his blog post, the first could give root-level privileges, thanks to the Zoom client, to a hacker who has access to the device, and would enable them to install malware or spyware on it. The second bug would allow hackers to take control of the mic and webcam by inserting malicious code inside the Zoom library. Both flaws pose serious security risks for Mac users.
But this was not all. Two security researchers revealed how Zoom could be used to steal Windows credentials quite easily. The researchers showed that Zoom could be used to send victims a string of text, which Zoom on Windows converts into a clickable link. If the user clicks on the link, Zoom will send the Windows usernames and passwords to the address in the link. The Universal Naming Convention (UNC) bug again poses serious risks for users of the app, especially those who might unwittingly click on such links without knowing the full implications.
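The UNC issue described above comes down to a chat renderer turning a `\\host\share` path into something clickable. As an added example (not Zoom's code and not taken from the researchers' write-up), the sketch below shows a renderer that only makes http(s) URLs clickable and leaves UNC paths as inert text while reporting the hosts they name. The function names, the link policy and the sample message are assumptions made for illustration.

```python
import html
import re

# \\host\share[\path...] as it could appear in a chat message.
UNC_RE = re.compile(r"\\\\(?P<host>[^\\/\s]+)\\(?P<share>[^\\\s]+)(?:\\\S*)?")
# Assumed policy: only web URLs may ever become clickable links.
WEB_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message; files.example is a placeholder host.
SAMPLE = r"notes at \\files.example\share\a.txt and https://zoom.us/j/123"


def classify_tokens(message):
    """Label each whitespace-separated token as 'unc', 'link' or 'text'."""
    labelled = []
    for token in message.split():
        if UNC_RE.fullmatch(token):
            labelled.append((token, "unc"))
        elif WEB_RE.fullmatch(token):
            labelled.append((token, "link"))
        else:
            labelled.append((token, "text"))
    return labelled


def unc_hosts(message):
    """Hosts named by UNC paths in the message, for logging or alerting."""
    return [m.group("host") for m in UNC_RE.finditer(message)]


def render(message):
    """Render to HTML: web URLs become anchors, UNC paths stay plain text."""
    parts = []
    for token, kind in classify_tokens(message):
        safe = html.escape(token)
        parts.append(f'<a href="{safe}">{safe}</a>' if kind == "link" else safe)
    return " ".join(parts)


if __name__ == "__main__":
    print(unc_hosts(SAMPLE))
    print(render(SAMPLE))
```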
To Zoom’s credit, the company has confirmed a fix and pushed out a patch for all these vulnerabilities. In the blog post, the company said it “released fixes for both Mac-related issues raised by Patrick Wardle and a fix for the UNC link issue”.
Still, if users do not install the patch, be it on Mac or Windows, they are at risk. “As far as Mac users are concerned, if you haven’t patched your local instance of Zoom, I would say you know if you still have to do a Zoom meeting, go and get that patch right away. Don’t delay it. If for some reason you can’t patch it right now, the only mitigating advice that we can give you is don’t leave the app running in the background because that poses a risk,” Shier said.
He also pointed out that Zoom will face a lot more scrutiny because people are using it so much more. “Security researchers are looking at this product right now, the software. The best practice is to patch right away and close these holes. All software has bugs, Zoom is no exception to that,” he added.
And Zoom seems to be aware of this. The company has announced a freeze on features for the next 90 days, and will instead focus on bugs and security problems. “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process,” Eric S Yuan, Founder and CEO, Zoom, wrote in the blog post.
Zoom says it will shift all engineering resources to focus on safety, and privacy issues. Zoom also said it will conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of all of their new consumer use cases.
The other risks for Zoom
As with any popular product, there are various ways that cybercriminals can exploit the situation. With Zoom, one possible method could be sending phishing links, which claim to be from Zoom meetings, except they are not really for such a meeting. A phishing link will typically look like a Zoom room or meeting, but try and trick users into giving up their sensitive information.
“What we have seen is that over 1700 new domains were created in the name of Zoom. As much as 25 per cent of them were created in the last week. This is where new phishing websites will come up, and they will impersonate some of these sessions as well. There could be sessions created, which would mirror Zoom,” Chopra told us.
He cautions that users should be careful about receiving files and emails from unknown senders. “Users should be aware of lookalike domains, sometimes there are spelling errors, sometimes they will change a few alphabets or letters to make them read similar,” he added.
According to Shier, while Sophos is yet to see phishing attempts using fake Zoom links, this is certainly possible. “There is the possibility of people using Zoom meeting invite links as a lure. So you could make a URL look like a Zoom meeting invite, when in fact it’s sending you to a site to download some malware,” he pointed out. He said this kind of abuse is easy to do in the context of Zoom because the invite usually comes in the form of a meeting URL.
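The lookalike-domain and fake-invite risks described above can be checked mechanically before a link is opened. The following is an added example, not from the article or from any vendor: it classifies an invite URL by its real hostname, assuming `zoom.us` is the only official domain (an assumption; adjust the allowlist for your organisation) and using constructed `.example` hosts as test input.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"zoom.us"}  # assumed allowlist, not an official list
BRAND = "zoom"


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character swaps like 'zo0m'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_invite(url):
    """Return 'official', 'suspicious', 'unrelated' or 'invalid' for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # 'https://zoom.us@other.example/' shows the brand but goes elsewhere.
    if "@" in parts.netloc:
        return "suspicious"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand, or a near miss of it, on a host that is not official.
    # A one-edit threshold on a four-letter brand will also flag some
    # innocent words, so treat the result as a prompt for review.
    for label in host.replace("-", ".").split("."):
        if BRAND in label or edit_distance(label, BRAND) <= 1:
            return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the .example hosts are placeholders.
    for u in ("https://us04web.zoom.us/j/1234567890",
              "https://zoom.us.meeting-join.example/j/1234567890",
              "https://zo0m.example/j/123"):
        print(classify_invite(u), u)
```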
Zoom and privacy
It was also highlighted that the app does not support end-to-end encryption as is commonly understood, despite making claims to the contrary. The company has now come out to say that while it uses encryption to secure the call, it is not end-to-end encrypted and apologised for the confusion caused, adding it did not mean to deceive consumers.
In the blog post, Zoom also said, “To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.” The company said that “no user content is available to Zoom’s servers or employees at any point during the transmission process”.
As part of the mitigating measures Zoom has also announced plans for a transparency report that will include details on information related to legal requests for data, records, or content. It is also enhancing the existing bug bounty programme. There’s no doubt that the scrutiny on Zoom is not going away any time soon, and the company is acutely aware of this.